Help deb608** ruins my computer

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by DutchMarco, Jan 27, 2007.

  1. DutchMarco

    DutchMarco Corporal

    Help!

    Hi, I'm new here at MajorGeeks and I've got a serious problem with my computer. I've got the file deb60819.exe in C:\Program Files\Common Files\System and it is also a process in my task manager.

    About every 30 seconds this file screws up my page file usage history by slowly going up. ATM it's 521 MB and every 30 seconds it slowly goes up to 2521 MB, stays there for a while and then comes back to 521.

    Please help quickly!



    OS: Windows XP professional Dutch version 2002
    Service Pack 2
     
  2. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Welcome to MajorGeeks.com, please follow the steps below:

    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis:

    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
    • CounterSpy
    • AVG Antispyware Log - ONLY IF NEEDED because you were not able to run CounterSpy
    • Bitdefender - from step 6
    • Panda Scan - from step 6
    • runkeys.txt - the log from GetRunKey.bat
    • newfiles.txt - the log from ShowNew.bat
    • HijackThis
     
  3. DutchMarco

    DutchMarco Corporal

    Okay.. 2nd try!!

    I've got a problem with BitDefender.. it got stuck on the last file to scan :(
     

    Attached Files:

  4. DutchMarco

    DutchMarco Corporal

    Here is HijackThis, Panda comes later.
     

    Attached Files:

  5. DutchMarco

    DutchMarco Corporal

    I remember that at the end of the BitDefender scan, it found 3 infected files, which BitDefender deleted.

    here is the Panda scan
     

    Attached Files:

  6. DutchMarco

    DutchMarco Corporal

  7. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Your HijackThis log is from Safe Mode. I need a log from Normal Mode.
     
  8. DutchMarco

    DutchMarco Corporal

    AARgh!



    here you go...
     
  9. DutchMarco

    DutchMarco Corporal

    deb60818 has now changed to deb60911.
     

    Attached Files:

  10. DutchMarco

    DutchMarco Corporal

    I tried to delete the file c:\program files\common files\system\deb60911 but the system created the file again in the same place... it just came back :S
     
  11. DutchMarco

    DutchMarco Corporal

    I've rebooted and this time the problem didn't occur and deb60911 wasn't shown in the task manager as a process either.
    But this has happened before and after a while it will show up again. confused


    Some help here please!!

    Marco,
     
  12. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Download
    - Pocket Killbox
    - ExplorerXP

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Install the current version of Adobe Acrobat Reader from: Adobe Acrobat Reader Download

    Install Java Runtime Environment (JRE) 6 available from Sun Microsystems.

    Messenger Plus! Live is responsible for your infection.

    gdimx and mplay64 are both Trojans.

    In Windows Messenger Live - disable the "Customer Experience Improvement Program" feature:
    • Under Help, Click on the "Customer Experience Improvement Program" menu option.

    Download and Install Registrar Lite

    Run Registrar Lite, navigate to the following keys and take ownership of them (explained further down):

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_CMDSERVICE]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_NETWORK_MONITOR]


    To take ownership of the key do the following:
    • Copy & Paste one registry key from above into the address bar of Registrar Lite and hit the enter key. This will bring you to the registry key.
    • Click-on Security in the Menu
    • Select Take Ownership
    • Now right click on the registry key and select delete
    • Repeat for all three registry keys
    • Tell me the results. Any errors??? If so, make sure you tell me the exact error message and exactly on which keys it occurs.
    • Then if there was an error, boot into safe mode and retry all of the above.
    • Again keep track of errors and give a report of the results.
    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run HijackThis, choose "Open the Misc Tools Section", choose "Process Manager", Highlight:
    Choose Kill Process. Click on the "Back" Button

    Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)
    Now run CCleaner.

    As an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh logs for the following:
    1. ShowNew
    2. GetRunKey
    3. HijackThis
     
  13. DutchMarco

    DutchMarco Corporal

    I'm getting on it right now. Thanks a lot!


    I got a message that gdimx was already removed from my computer.
     
    Last edited: Jan 31, 2007
  14. DutchMarco

    DutchMarco Corporal

    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_CMDSERVICE]
    and
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR\0000]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_NETWORK_MONITOR]

    are not present...
     
  15. DutchMarco

    DutchMarco Corporal

    Problem didn't occur at reboot to normal mode, but as I said the problem doesn't always occur.
    When I look in C:\Program Files\Common Files\System I don't see the file deb60911.exe anymore... but I do see deb60910.exe. I guess deb60911.exe has been deleted, but deb60910.exe has replaced it.

    !!NO GOOD!!
     

    Attached Files:

  16. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    Run HijackThis. Click the 'Do a system scan only' button. Place a checkmark in the box next to the following lines:
    Click on the 'Fix checked' button. Wait for HijackThis to finish; close HijackThis.

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    REBOOT to Normal Mode.

    Post fresh logs for the following:
    1. ShowNew
    2. GetRunKey
    3. HijackThis
     
  17. DutchMarco

    DutchMarco Corporal

    Is everything you tell me to delete all the rubbish that's on my computer, or is it all just related to deb60***.exe?

    If you have time......... could you tell me what rubbish to delete??


    thanks,
    Marco
     

    Attached Files:

  18. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Everything I am having you uninstall and delete is part of the problem.

    You have some Trojan files that are being regenerated when you restart the system. Look at the programs listed in Add or Remove Programs for installed programs that you don't recall installing, make a list of those and post that list here.

    Let's take a look for Rootkits. Follow the instructions for Using Sophos Anti-Rootkit.

    Post the log from Sophos Anti-Rootkit and the list of install programs you don't recognize.
     
  19. DutchMarco

    DutchMarco Corporal

    RadLinker and System Requirements Lab are 2 programs in the add/remove programs list that I don't recall installing.

    There are also CLI.exe, Dit.exe and DitExp.exe running in my process list in task manager. Are these meant to be there or is it just rubbish taking up my computer's memory?

    There is also C:\WINDOWS\system32\rundll32.exe on my computer, and I saw somewhere else here on MajorGeeks.com that someone recommended deleting that. (It showed up as a running process in task manager.)

    Should I delete this too? Or is it not a problem for me?
     

    Attached Files:

  20. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Both of these are legit. RadLinker is for overclocking your ATI video card and System Requirements Lab is http://www.systemrequirementslab.com
    All legit. CLI.exe is for your ATI video card and the other 2 are for a USB card reader.

    No, rundll is a required MS process; it's what rundll32 is running that is important. It could be legit or it could be malicious. It just depends on the dll being loaded.

    Post fresh ShowNew and GetRunKey logs. This, C:\WINDOWS\system32\taskmgr.exe, is showing up in your HJT log again.
     
  21. DutchMarco

    DutchMarco Corporal

    That's just my task manager. I'm sorry, but because of the deb608** I had to end that process about every minute so that I could use the computer normally. It's become a habit now to check that deb bastard every time.
     
  22. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    I know that was Task Manager. Sometimes legit files get replaced and then display in the running processes. I should have asked if you had it open.

    How is your computer running?
     
  23. DutchMarco

    DutchMarco Corporal

    Before you helped me delete unwanted files from my computer, the memory use was always around 700MB; now that has lowered to 500MB.
    When I joined MajorGeeks I had 3 problems with my computer:

    1. deb60***.exe ruined my computer memory in a really weird way.
    2. average memory use was always around 700MB.
    3. it takes about 5 minutes to start-up my computer.

    Problem 1 is fixed, problem 2 is "partially" fixed (memory use has lowered), problem 3 is not fixed at all...

    If you have any more tips, please fill me in.

    I also have a thread open in Hardware, "RAM questions", where I talked about these problems, but I haven't had many replies.

    I've attached HJT, runkeys and newfiles, maybe you can notice other issues on my computer.
     

    Attached Files:

  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    OK, we are making progress.

    Using Add or Remove Programs in the Control Panel; uninstall the following:
    What is SpamWeed?

    Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*).
    Close Notepad.

    Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.

    Run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
    Then after it deletes the files click the Exit (Save Settings) button.

    NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue..

    Select:
    • Delete on Reboot
    • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open ExplorerXP, navigate to and DELETE the following:
    Now run CCleaner.

    Then, as an added precaution, Go to Start -> Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:

    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    REBOOT to Normal Mode.

    Post fresh logs for the following:
    1. ShowNew
    2. GetRunKey
    3. HijackThis
     
  25. DutchMarco

    DutchMarco Corporal

    I went to spamweed.com and SpamWeed is a spam filter. I remember the SpamWeed logo from somewhere, so I think I've used it sometime. The problem here is: I looked in the HJT log file and what I saw was this:

    O4 - Global Startup: SpamWeed .lnk = C:\Program Files\SpamWeed\swengine.exe

    I navigated to C:\Program Files\ but I couldn't find SpamWeed anywhere. I made the computer look for SpamWeed files, and it's got some files in My Documents and a link in the Start Menu that leads to nowhere.

    I guess I should delete all files related to SpamWeed as it looks like most of it has already been deleted?



    PS. if there are some programs I don't want to allow to load at startup, can I use HijackThis to delete some files from the startup 'registry'?
     
  26. DutchMarco

    DutchMarco Corporal

    I really appreciate your help!

    thanks,
    Marco
     

    Attached Files:

  27. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    You have a couple of fixes that look like they are part of Trojan.Qhosts.

    Try using the Symantec removal tool to clean the infections of Trojan.Qhosts.

    Post a fresh ShowNew log
     
  28. DutchMarco

    DutchMarco Corporal

    No Trojan.Qhost found by the scanner.

    Can I delete O4 - Global Startup: SpamWeed .lnk = C:\Program Files\SpamWeed\swengine.exe in HJT, as the program isn't on my computer anymore?

    thanks,
    Marco



    PS. problem 3 hasn't been solved yet. :(

     

    Attached Files:

  29. DutchMarco

    DutchMarco Corporal

    Is that all? computer clean?

    And..

    Can I delete O4 - Global Startup: SpamWeed .lnk = C:\Program Files\SpamWeed\swengine.exe in HJT, as the program isn't on my computer anymore?
     
  30. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

    Sorry, I've been away for a few days.

    I'm not seeing anything in your logs that would explain the slow down. There is a new version of GetRunKey, download and run the new version and post that log.

    Also, disable Internet Connection Sharing. What does that do for boot times?
     
  31. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well there are non-malware things that can be done.

    Uninstall CounterSpy now since it is not needed anymore.

    And also the below startups can be fixed with HJT since none of them are necessary and just slow down boot up.
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - Global Startup: Microsoft Office.lnk = D:\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: SpamWeed .lnk = C:\Program Files\SpamWeed\swengine.exe
     
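    Added example (not code from the thread, from HijackThis or from MajorGeeks): a small Python triage helper for O4 lines like the ones quoted above. It flags a startup entry whose target file no longer exists (the SpamWeed .lnk case from post 25) and an autostart whose executable name only changes in its digits between two logs (deb60819 to deb60911, as reported earlier in the thread). The log lines, the deb entries and the file listing are constructed; the thread's real HJT logs were attachments.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample logs, modelled on the O4 lines quoted in this thread.
# The deb60xxx entries are hypothetical: the thread's own logs were attachments.
LOG_EARLIER = [
    r"O4 - HKLM\..\Run: [deb60819] C:\Program Files\Common Files\System\deb60819.exe",
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r"O4 - Global Startup: SpamWeed .lnk = C:\Program Files\SpamWeed\swengine.exe",
]
LOG_LATER = [
    r"O4 - HKLM\..\Run: [deb60911] C:\Program Files\Common Files\System\deb60911.exe",
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r'O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay',
    r"O4 - Global Startup: SpamWeed .lnk = C:\Program Files\SpamWeed\swengine.exe",
]
# Constructed stand-in for a disk listing (swengine.exe is gone, as in post 25).
PRESENT_FILES: Set[str] = {
    r"c:\program files\common files\system\deb60911.exe",
    r"c:\windows\system32\nerocheck.exe",
    r"c:\program files\ati technologies\ati.ace\cli.exe",
}

O4_RUN = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^O4 - (?P<key>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.+)$")

def exe_from_command(cmd: str) -> str:
    """Strip quotes and arguments, leaving only the executable path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]

def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Return key, entry name and executable path for one O4 line, else None."""
    m = O4_RUN.match(line.strip()) or O4_STARTUP.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["exe"] = exe_from_command(entry.pop("cmd"))
    return entry

def missing_targets(lines: List[str], present: Set[str]) -> List[str]:
    """Autostart targets whose file is not on disk (orphaned .lnk or Run value)."""
    entries = [e for e in map(parse_o4, lines) if e]
    return [e["exe"] for e in entries if e["exe"].lower() not in present]

def digit_shape(path: str) -> str:
    """Normalise digits so deb60819.exe and deb60911.exe share one shape."""
    return re.sub(r"\d", "#", path.lower())

def rotated_names(earlier: List[str], later: List[str]) -> List[Tuple[str, str]]:
    """Pairs of executables that differ only in their digits between two logs."""
    before = {digit_shape(e["exe"]): e["exe"] for e in map(parse_o4, earlier) if e}
    pairs = []
    for e in map(parse_o4, later):
        if not e:
            continue
        old = before.get(digit_shape(e["exe"]))
        if old and old.lower() != e["exe"].lower():
            pairs.append((old, e["exe"]))
    return pairs

if __name__ == "__main__":
    print("missing targets:", missing_targets(LOG_LATER, PRESENT_FILES))
    print("rotated names:", rotated_names(LOG_EARLIER, LOG_LATER))
```

    A real run would build PRESENT_FILES from os.listdir over the directories named in the log, and the same digit-shape comparison works on ShowNew or GetRunKey output.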
  32. DutchMarco

    DutchMarco Corporal

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    What can I do with these?

    Also, can I use MSCONFIG --> Startup to get programs out of the startup system?
    or would this do the same as HJT?

    eg. Daemon Tools DAEMON Tools] "D:\DAEMON Tools\daemon.exe

    The way I see it: HJT actually deletes the file and in MSCONFIG you just check/uncheck the files whenever you want to.
    (I've never tried this before, it's just a guess)



    I don't really know what Internet Connection Sharing is for. (as I don't use this computer as an internet connection center [other computers connected to this one])
    And I've got no idea how to disable that.



    Oh, and I don't use wireless internet connection on this computer. So can I uncheck (in MSCONFIG)
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe

    or in HJT
    WG111v2 Smart Wizard Wireless Setting.lnk = ?
     
    Last edited: Feb 12, 2007
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm sorry but this is the last message to discuss any of this! None of this has anything to do with malware and we do not have time to help several hundred users coming here per week tweak their PC performance. This forum is only for malware topics which we have already gone way beyond.

    Nothing! They are from the BitDefender online scan and they are not missing! This is a bug in HJT. It sometimes reports things missing that are not.

    That is not what MSconfig is designed for. What is it that you don't want to startup? Uninstall software you don't use/need? For software you need but don't want to have run at startup, use settings within the program to tell it not to load at startup. If it does not have these settings, fix it with HJT if you never want it to run at Startup. Otherwise use a program like Startup CPL to control startups.

    Why did you install it if you don't need it?

    See: http://support.microsoft.com/kb/234815


    If you don't need this then why have the software installed? Uninstalling WG111v2 Configuration Utility should be the first approach, but then you will have to reinstall it if you need to configure wireless capability at a later time. Alternatives: have HJT fix that line, or use StartUp CPL.


    If you are not having any other malware problems, it is time to do our final steps:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix you can delete the ComboFix.exe file and associated C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    7. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    8. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work through the below link:
     
